In modern communication networks, security is a vital issue, and attacks on network security are increasing in both number and complexity.
In computer security, covert channels are used by attackers to transfer information between processes that are not supposed to be communicating with each other. Covert channels are hidden from the access control mechanisms of secure operating systems because they do not use legitimate data transfer mechanisms, and they therefore cannot be detected easily.
For example, if an attacker has visibility into all encrypted traffic passing through all Tor-network nodes, he/she could perform correlation analysis and determine which connections entering the Tor-network correspond to which connections exiting it. This would in effect defeat the purpose of the Tor-network altogether.
Duqu2 is one example of advanced persistent threat (APT) malware that has infected computers in local area networks (LAN) by assigning different roles or functions to the computer devices. FIG. 1 illustrates one example of this kind of attack, where one of the devices 100, 200 with high uptime was acting as an Internet gateway 730 and a few of the devices with high uptime were acting as domain controllers 700 or terminal servers 720. Most of the other devices were client devices 100, 200. What is notable about these differing roles is that the communication protocols or ports used between the different roles also differ. For example, malware in clients and domain controllers communicates through Windows pipes, malware in domain controllers and the gateway communicates through SMB or RDP protocols, and malware in the gateway communicates with the attacker on the Internet using port 443 to make the traffic look like HTTPS. Further, some of the modules in client computers are interactive in nature (“24B7—Remote desktop administration”, “9224—Run console applications”) while other modules are not (“0682—Collects basic system information”, “09A0—64-bit, Exfiltrates file contents”, “0AB8—Provides 25 functions for manipulating files and directories”). For someone looking at the traffic in the LAN or exiting the LAN, it all looks normal: devices seem to communicate with each other using the protocols that they are expected to use.
There is a need to detect covert channel traffic such as this and to prevent security threats caused by covert channels to computer systems.